Well according to "Unix Network Programming" Volume 1 2nd edition,
section 4.5 page 98:
"If the queues are full when a client SYN arrives, TCP ignores the
arriving SYN (pp 930-931 TCP/IP Illustrated Vol 2 , it does not send an
RST. this is because the considtion is considered temporary, and the
client TCP will retransmit its SYN, hopefully room on the queue in the
near future. ...... Posix.1g allows either behaviorL ignoring the new SYN
or responding to the new SYN with an RST. Historically, all
Berkeley-derived implementations have ignored the new SYN"
Hopefully that answers your quesiton, AFAIK this should be pretty
accurate.
Take care
On Thu, 12 Apr 2001, Portnoy, Gary wrote:
> Greetings
>
> Two completely unrelated questions:
>
> 1. If a machine is being SYN flooded, once the connection queue is filled,
> is it
> a) going to respond with RST,
> b) going to respond with ICMP Source Quench
> c) not going to respond at all.
>
> The reason I am asking is that once in a while, I see packets with R and A
> bits set destined to a few hosts on my network that are silent. The only
> logical explanation is that their IP's are used in a spoofed flood attack,
> and the RSTACK are the residuals. Am I correct?
==========================================================================
--"the more you know and understand the more you must know and understand
.. knowledge is an unsatiable hunger .. which makes life easier and at
the same time harder .... knowledge is a paradox w/ no resolution just
a boundless function of human nature .... knowledge is a trap which we
embrace and which we run away from .... and in the end the only escape
is death .... or maybe not "<grin>--
==========================================================================
-This message transmitted on 100% recycled electrons-
-Save the whales, Feed the hungry, Free the mallocs-
Two cats on a roof,
Which one falls off first?
The one with the smaller mew.
This archive was generated by hypermail 2b30 : Sat Apr 14 2001 - 09:46:20 PDT